Application No. 10/591,433 

Reply to Office Action of July 21, 2009 

REMARKS/ARGUMENTS 

Favorable reconsideration of this application is respectfully requested in view of the 
above amendments and the following remarks. 

Claims 1-15 are pending in this application. By this amendment, Claims 1-6 and 8-15 
have been amended. Support for the amendments to Claims 1 and 13 is found, by way of 
non-limiting example, in the specification at page 12, line 26 to page 13, line 11. The other 
amendments to the claims are formal in nature. Accordingly, it is respectfully submitted that 
no new matter has been added. 

In the outstanding Office Action, a substitute specification was required pursuant to 
37 C.F.R. § 1.125(a); Claims 1-15 were rejected under 35 U.S.C. § 112, second paragraph, as 
being indefinite; Claims 1-15 were rejected on the ground of non-statutory obviousness-type 
double patenting as being unpatentable over Claims 1-24 of U.S. Patent No. 7,512,917 B2; 
Claims 1-3, 7, 9, 11, and 13-15 were rejected under 35 U.S.C. § 102(b) as being anticipated 
by Stroud et al. (Applying Built-in Self-Test to Majority Voting Fault Tolerant Circuits, IEEE 
1998, hereinafter "Stroud"); Claim 4 was rejected under 35 U.S.C. § 103(a) as being 
unpatentable over Stroud in view of Kraus et al. (U.S. Patent No. 6,587,979 B1, hereinafter 
"Kraus"); Claim 5 was rejected under 35 U.S.C. § 103(a) as being unpatentable over Stroud 
in view of Baeg et al. (U.S. Patent No. 5,805,608, hereinafter "Baeg"); Claim 6 was rejected 
under 35 U.S.C. § 103(a) as being unpatentable over Stroud in view of Lai et al. (U.S. Patent 
No. 6,691,079 B1, hereinafter "Lai"); Claims 8 and 12 were rejected under 35 U.S.C. 
§ 103(a) as being unpatentable over Stroud in view of Gaubatz (U.S. Patent No. 5,621,776); 
and Claim 10 was rejected under 35 U.S.C. § 103(a) as being unpatentable over Stroud in 
view of Dennis et al. (U.S. Patent No. 4,517,154, hereinafter "Dennis"). 
Responsive to the requirement of a substitute specification, the specification, 
Abstract, and claims have been revised to correct informalities. Accordingly, it is 
respectfully requested that this requirement be reconsidered and withdrawn. 

Responsive to the rejection of Claims 1-15 under 35 U.S.C. § 112, second paragraph, 
as being indefinite, Claims 1 and 13 have been amended. Claim 1 now recites "a plurality of 
functional units having logic circuitry in which output logic patterns resulting from input 
logic patterns have been verified in advance of installation in the safety protection system." 
Claim 13 now recites similar subject matter in method format. It is therefore respectfully 
submitted that the language of Claims 1 and 13 has been clarified, and it is respectfully 
requested that this rejection be reconsidered and withdrawn. 

Responsive to the rejection of Claims 1-15 on the grounds of non-statutory 
obviousness-type double patenting as being unpatentable over Claims 1-24 of U.S. Patent No. 
7,512,917 B2, it is recognized that one potential response may include the filing of a terminal 
disclaimer. However, by this amendment, Claims 1 and 13 have been amended to recite "so 
as to form a logic structure in which the logic structure of the combination of the plurality of 
functional units is different from the logic structure of each of the plurality of functional units 
individually." This feature is not recited in Claims 1-24 of U.S. Patent No. 7,512,917 B2. It 
is therefore respectfully submitted that Claims 1-15 are not obvious over Claims 1-24 of U.S. 
Patent No. 7,512,917 B2. Accordingly, it is respectfully requested that the rejection of 
Claims 1-15 on the grounds of non-statutory obviousness-type double patenting be 
reconsidered and withdrawn. 

Claims 1 and 13 recite, in part: 

so as to form a logic structure in which the logic structure of 
the combination of the plurality of functional units is different 
from the logic structure of each of the plurality of functional 
units individually. 
It is respectfully submitted that these features are neither disclosed by nor rendered obvious 
by Stroud, Kraus, Baeg, Lai, Gaubatz, Dennis, or any conceivable combination thereof. 

Stroud describes fault tolerant circuit designs for use in nuclear reactor protection 
systems.[1] In Stroud, Built-in Self-Test (BIST) and Built-in Logic Block Observer (BILBO) 
are discussed.[2] Stroud indicates that "[m]ajority voting fault tolerant circuits are constructed 
by replicating the original, non-fault-tolerant circuit and incorporating one or more majority 
voting circuits (MVCs) at the output(s) of the replicated circuit modules."[3] Stroud indicates 
that a "majority voting based fault tolerant circuit with constant degree of redundancy, R, is 
completely testable for all single (multiple) stuck-at faults."[4] In Stroud, "[t]o verify the 
correct operation of the fault tolerant circuit in the presence of faults, the BIST circuit is 
configured to form R identical n+m-stage Circular BIST chains."[5] In the Modified Circular 
BIST technique, "[m]ultiplexers sharing a common control input are incorporated between 
each of the R input and output sections of the Circular BIST chain to configure the chain into 
one large chain or R identical chains."[6] 

Stroud further describes a proposed modified BILBO implementation in which "each 
circuit module has n-inputs and n-outputs."[7] This implementation includes "R identical 
n-stage BILBOs to operate independently as well as together as a single Rn-stage BILBO."[8] 
Thus, Stroud allows "R BILBOs to be combined together to form a single Rn-stage BILBO generating 2^Rn - 
1 test patterns to the entire group of replicated circuit modules."[9] 

There is no description in Stroud that combining circuit modules, as shown for 
example in Figure 1 and Figure 2, forms a logic structure in which the logic structure of the 
combination of the plurality of functional units is different from the logic structure of each of 
the plurality of functional units individually, as recited in Claims 1 and 13. Therefore, Stroud 
fails to anticipate Claims 1 and 13. 

[1] Introduction. 
[2] Introduction. 
[3] Background. 
[4] Background. 
[5] Modified Circular BIST. 
[6] Modified Circular BIST. 
[7] Modified BILBO. 
[8] Modified BILBO. 
[9] Modified BILBO. 

Kraus, Baeg, Lai, Gaubatz, and Dennis fail to cure the deficiencies of Stroud noted above 
because none of these references describes the features of Claims 1 and 13 quoted above. 

Accordingly, it is respectfully requested that the rejections of Claims 1-15 be 
reconsidered and withdrawn, and that Claims 1-15 be found allowable. 

Consequently, for the reasons discussed in detail above, no further issues are believed 
to be outstanding in the present application, and the present application is believed to be in 
condition for formal allowance. Therefore, a Notice of Allowance is earnestly solicited. 

Should the Examiner deem that any further action is necessary to place this 
application in even better form for allowance, the Examiner is encouraged to contact the 
undersigned representative at the below-listed telephone number. 



Respectfully submitted, 

Application No. 10/591,433 
Marked-Up Specification 

DESCRIPTION 

SAFETY PROTECTION INSTRUMENTATION SYSTEM AND METHOD OF 
OPERATING THE SYSTEM 



Technical Field 

The present invention relates to a safety protection instrumentation system that 
includes a reliable digital signal processing apparatus and is used in, for example, a safety 
protection system in a nuclear plant. The invention also relates to a method of operating 
or handling the safety protection instrumentation system. 

Background Art 

Nuclear plants are provided with safety protection instrumentation systems for 
preventing or suppressing failures that can degrade the safety of the plants or that are 
expected to occur. A radiation measuring apparatus in the safety protection 
instrumentation system is intended to provide each operating circuit with information 
indicating conditions for isolating parts where the radiation dose has increased, or for 
actuating emergency gas treatment apparatus in order to suppress radioactive material from 
leaking outside the plant if the radiation dose in the plant has increased for any reason. 

In recent plants, digital signal processing technology is applied to these radiation-
measuring apparatuses in the safety protection instrumentation systems. In the digital signal 
processing, CPUs perform digital calculation involving a digital filter and/or multiple signals 
(for example, refer to Japanese Patent Application No. 2653522). In contrast, there are 
systems using ASIC/FPGA (Application Specific Integrated Circuit/Field Programmable 
Gate Array), which is hardware logic, without using the CPUs (for example, refer to USP No. 
5859884). In such systems, instead of the CPUs, ASICs control the procedures to simplify 
the operations. 
The safety protection instrumentation systems serving an important function are 
required, for example, to prevent loss of function due to a single failure by providing multiple or 
independent devices. In digital systems using software, the function of the multiplexed 
devices can be lost due to a software failure when the same software is used in the redundant 
systems. In addition, since digital processing is discrete processing, the possibility of 
unexpected behaviors, such as abnormal outputs due to internal failure, is higher in digital 
systems than in analog devices if a series of specific conditions unfortunately occurs. 

Accordingly, it is necessary not only to perform a quality assurance activity for 
ensuring high quality throughout the design and manufacturing but also to eliminate failures 
due to common factors caused by software faults and to adopt appropriate protective means 
against uncontrolled modifications in the digital processing using software. In particular, a 
verification and validation activity (hereinafter referred to as "V&V") is performed as one 
method of preventing the failures due to common factors caused by software faults. The 
"V&V" is a quality assurance activity including verification of whether the functions required 
of the digital protection systems are correctly reflected from upper processes of software 
design and manufacturing to lower processes thereof, and validation of full realization of the 
required functions in the systems manufactured through the verification. 

In contrast, since the systems using the ASICs or FPGAs, instead of the CPUs, 
are finally built as hard-wired logic, the processing is deterministic and, therefore, the 
processing time is determinable, unlike the processing by the CPUs. The systems using the 
FPGAs can be assumed to be semiconductor devices having digital logic, so that it is 
possible to verify the systems by the use of methods of testing semiconductor devices. 
Specifically, it is possible to fully verify the static input-output characteristics, other than 
failures due to timing, if the outputs corresponding to all the inputs and all the internal states 
in the logic of the semiconductor devices can be compared with predicted values calculated 
from design specifications. This verification method is called exhaustive testing. 

However, since combining all of the input bits with the internal states of the 
device produces a very large number of patterns in an actual ASIC device and the like, it is 
difficult to compare all the output patterns corresponding to all the input and internal-state 
patterns with the predicted values. Accordingly, it becomes important to evaluate an input 
pattern sequence in which failures can be found efficiently. For example, the logic patterns 
in the device are evaluated to estimate input pattern groups in which the internal registers 
operate at least one time, or an input pattern sequence in which failures can be found is 
calculated by fault simulation using "stuck-at fault" models. 

However, since only some of the input patterns are tested in the above verification 
method, there are problems in that faults occurring due to the combination of the internal 
logic, or faults that are not estimated in the fault simulation, cannot be detected. 

In addition, in the process of implementing the logic in hardware such as an FPGA, it is 
necessary to prepare software in which the structure of the hardware is described (HDL: 
Hardware Description Language) and to use a general-purpose software tool, such as a 
synthesis tool, for converting the software into the actual logic of the FPGA. Consequently, it 
is necessary to ensure a higher reliability even in the design phase in order to eliminate the 
effect of faults in off-the-shelf software. 

If the above-mentioned exhaustive testing can be used in performance verification of 
an instrumentation system, it is possible to indicate that there is no static logic error (no 
determinate logic error). However, if the above verification method cannot be carried out, it 
seems that the verification, such as the V&V, is required as in the known software. 

The system using the FPGA performs deterministic processing, unlike the processing 
by the CPU, and the processing time is generally determinable. In addition, the system using 
the FPGA is characterized by easily meeting the design conditions for building a highly 
reliable system because a single loop executes only one process. 

As described above, in terms of the verification of the instrumentation system, 
implementing the safety system for a nuclear plant in hardware logic gives greater benefit. 
However, the challenge is to validate the instrumentation system at a verification level 
equivalent to exhaustive testing. Consequently, there is demand for a system allowing 
easy confirmation of whether the output characteristics corresponding to the inputs comply 
with the design specifications, and for a verification method using the system. 

In addition to the static logic errors described above, errors due to internal operation 
timing can occur. For example, if the delay time of the transmission in the internal logic 
varies due to environmental conditions, including temperature, the system can operate 
improperly. In data exchange with an asynchronous unit, such as an external unit, 
deterministic values might not be yielded depending on the acceptance timing of the data. 

In order to prevent the errors due to timing, it is necessary to design the system 
allowing for such errors by timing simulation or the like, and to apply a general design 
technique, such as adoption of a synchronous design in which the values are less apt to be 
indeterminate, to the external interface. 

In other words, it is important to adopt structures and test methods capable of 
preventing the errors due to timing even in the safety systems using the FPGAs, and there 
is a demand for development of systems having such structures and test methods. 

Disclosure of The Invention 

The present invention was conceived in consideration of the above circumstances and 
an object of the present invention is to provide a safety protection instrumentation system for 
a nuclear reactor, which uses hardware logic, such as FPGA, and is capable of preventing 
static logic errors and errors due to the timing of signal processing and to provide a method of 
operating (handling) the safety protection instrumentation system. 

In order to solve the above problem, according to the present invention, there is 
provided a safety protection instrumentation system for a nuclear reactor, which is 
constructed by using digital logic, wherein the digital logic includes functional units in 
which output logic patterns corresponding to all input logic patterns are verified in advance 
and a functional module formed by combining the functional units. 

The safety protection instrumentation system having the above features can be 
embodied in the following modes. 

Each of the functional units may individually implement the output logic patterns 
corresponding to all the input logic patterns on hardware and may determine whether the 
output values coincide with predicted values calculated from design specifications. 

The functional module may include only functional units having the same gate 
structure as that of the functional units whose performance is verified in advance. 

The functional module formed by a combination of the functional units may include a 
register through which outputs from the functional units are transmitted and a delay 
element used for adjusting the timings of signal processing in the functional units. 

The functional module formed by a combination of the functional units may include a 
register through which outputs from the functional units are transmitted and may 
use handshaking for transferring signals between those of the functional units that drive the 
register at different clock frequencies. 

The safety protection instrumentation system can include digital logic 
circuits converted from software (HDL) in which effective program statements executed by 
hardware and input pattern groups indicating operation paths are described, can use branch 
coverage or toggle coverage for evaluating the ratio of the input logic patterns or 
determining whether the number of the input patterns is sufficient, and can determine whether 
the output logic patterns corresponding to the input logic patterns coincide with predicted 
patterns calculated from design specifications to verify the connection between the functional 
units. 

It is possible to structure the safety protection instrumentation system so as to 
generate input patterns in accordance with design specifications of the functional module and 
so as to determine whether the output patterns corresponding to the input patterns in the 
functional module coincide with predicted values calculated from the design specifications. 

The safety protection instrumentation system can include an analog-to-digital element 
that converts an analog signal pattern in accordance with design specifications of the 
functional module into a digital value to generate a digital input pattern and a digital-to- 
analog element that converts an output corresponding to an input in the functional module 
into an analog value, and can determine whether the analog value coincides with a predicted 
value calculated from the design specifications. 

The safety protection instrumentation system can, when performing addition or comparison 
of two variables in the functional unit, replace either one of the two variables with a constant 
that is specified by an address having a smaller number of bits than the 
variable. 

The functional unit may have a function of passing an operation flag indicating 
normal completion of the operation, the functional module may have a function of monitoring 
the operation flag, and the safety protection instrumentation system may include a trip 
evaluator that receives an output from the functional module and determines whether the 
operation flag is set, and an abnormality diagnosis circuit that outputs an abnormal operation 
signal if the operation flag is not set. 
The functional unit may have a function of calculating maximum and minimum 
output values by a simple expression and a function of passing the maximum and minimum 
output values. The safety protection instrumentation system may include a trip evaluator that 
compares signal values with the maximum and minimum output values to determine whether 
the signal values are appropriate, and an abnormality diagnosis circuit that outputs an 
abnormal operation signal. 

The safety protection instrumentation system can include a first safety protection 
instrumentation system that converts a digital output into an analog value and converts the 
analog value into an optical signal, and a second safety protection instrumentation system that 
converts the optical signal into an analog value and converts the analog value into a digital 
value. The first safety protection instrumentation system can be connected to the second 
safety protection instrumentation system. 

According to the present invention, the above objects are achieved by 
providing a method of operating a safety protection instrumentation system for a nuclear 
reactor, including digital logic, wherein output logic patterns corresponding to all input logic 
patterns into functional units in the safety protection instrumentation system are verified in 
advance. 

In the above method, data processing in the functional units in the safety protection 
instrumentation system may be serially performed in the order of connection, and the serial 
transmission of a signal may be confirmed by monitoring an output timing and whether the 
signal is output as designed may be determined to verify the performance of the safety 
protection instrumentation system. 

The method may include verifying whether the functional units in 
the safety protection instrumentation system have the same internal structure as when 
the performance of the functional units was verified. 
With the safety protection instrumentation system and the method of operating the 
system having the above features according to the present invention, it is possible to 
improve the safety of the safety system for the nuclear reactor using hardware logic by 
preventing logic errors or errors due to the timing of the signal processing. 

Brief Description of The Drawings 

Fig. 1 is a block diagram showing a logic structure of a safety protection 
instrumentation system of the present invention, including functional units whose input- 
output characteristics are verified. 

Fig. 2 is a block diagram showing a logic structure in which the input-output 
characteristics of the functional units are tested. 

Fig. 3 is a block diagram illustrating the internal logic structure of a functional 
module. 

Fig. 4 is a block diagram illustrating synchronization of the clock frequency between 
the functional modules and signal transmission by handshaking in asynchronous sections. 

Fig. 5 illustrates a logic structure test using branch coverage as an index. 

Fig. 6 is a block diagram illustrating verification of a signal by the use of AD and DA 
elements. 

Fig. 7 illustrates a way to adjust the level of an input signal to verify any error. 

Fig. 8 illustrates a way to verify frequency characteristics of signals. 

Fig. 9 is a block diagram illustrating a way to decrease the number of test patterns 
of the functional units by the use of a lookup table. 

Fig. 10 is a block diagram illustrating a first self-diagnostic method in the safety 
protection instrumentation system of the present invention. 
Fig. 11 is a block diagram illustrating a second self-diagnostic method in the safety 
protection instrumentation system of the present invention. 

Fig. 12 is a block diagram illustrating signal separation in the safety protection 
instrumentation system of the present invention. 

Fig. 13 is a block diagram showing a logic structure of the safety protection 
instrumentation system, in which a first safety protection instrumentation system is connected 
to a second safety protection instrumentation system. 

Fig. 14 is a block diagram illustrating a way to monitor a serial operation and 
timings of the functional units to verify and diagnose the safety protection instrumentation 
system of the present invention. 

Fig. 15 is a schematic diagram showing an example in which output timings are 
monitored in the safety protection instrumentation system of the present invention. 

Fig. 16 is a block diagram showing an example of the connected functional units in 
the safety protection instrumentation system of the present invention. 

Best Mode for Carrying Out The Invention 

Embodiments of a safety protection instrumentation system for a nuclear reactor 
according to the present invention will be described with reference to the accompanying 
drawings. 

(First Embodiment) 

Fig. 1 is a block diagram showing a logic structure of a safety protection 
instrumentation system according to a first embodiment of the present invention. 

Referring to Fig. 1, outputs from sensors 1a and 1b disposed in a nuclear reactor are 
supplied to a safety protection instrumentation system 2 that detects any error and outputs a 
trip signal. The safety protection instrumentation system 2 includes AD elements 3a and 3b 
that perform waveform shaping for the analog signals output from the sensors 1a and 1b, 
amplify the analog signals, and convert the amplified analog signals into digital values. The 
digital values supplied from the AD elements 3a and 3b are subjected to signal conversion in 
filter circuits 4a and 4b. The filter circuits 4a and 4b each include multiple functional units 5. 
In the safety protection instrumentation system 2 in Fig. 1, the filter circuit 4a, the filter 
circuit 4b, a signal processing circuit 6, and a trip evaluator 7 are functional modules. 

The logic structure and operation of each of the functional units 5 will be described 
hereunder. 

The functional units 5 include, for example, a D flip-flop, a latch, an 8-bit decoder, an 
8-bit counter, an 8-bit serial-to-parallel converter, an 8-bit adder, an 8-bit multiplier, and an 
8-bit comparator. The functional units 5 are logic for which it can be confirmed whether the 
output patterns corresponding to all the input patterns coincide with the predicted patterns 
calculated from design specifications. 

The number of input bits, which is eight in the first embodiment, is limited to the 
number of bits that can actually be tested. Using functional units 5 in which all the input 
patterns are verified to build each internal function (functional module) and the entire safety 
protection instrumentation system for a nuclear reactor can realize a safety protection 
instrumentation system with higher reliability, capable of verification for all the input 
patterns. 
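The exhaustive testing of a functional unit described above (and the Background Art discussion of exhaustive testing, fault simulation and stuck-at fault models) can be made concrete with a small executable model. The following Python is an added example and is not part of the application: an 8-bit ripple-carry adder is built from the basic elements AND, XOR and OR, every one of its input patterns (two 8-bit operands and a carry-in, 131,072 patterns in all) is applied, and each output pattern is compared with the predicted pattern computed from the arithmetic specification. A stuck-at-0 fault is then injected on the carry leaving bit 3 to show that exhaustive testing detects it while a small hand-picked pattern set, constructed for this example, does not. The gate model, the fault location and the pattern set are assumptions of the example, not details taken from the application.

```python
# Added example (not from the application): exhaustive verification of an
# 8-bit functional unit against predicted values from its specification.
from itertools import product

BITS = 8


def full_adder(a, b, cin):
    """One stage built from the FPGA's basic elements (XOR, AND, OR)."""
    s1 = a ^ b
    total = s1 ^ cin
    cout = (a & b) | (s1 & cin)
    return total, cout


def adder8(a, b, cin=0, stuck_at=None):
    """Gate-level 8-bit ripple-carry adder returning (sum, carry_out).

    stuck_at=(stage, value) forces the carry leaving `stage` to `value`,
    modelling a stuck-at fault on that internal net (assumed fault model).
    """
    result = 0
    carry = cin
    for i in range(BITS):
        s, carry = full_adder((a >> i) & 1, (b >> i) & 1, carry)
        if stuck_at is not None and stuck_at[0] == i:
            carry = stuck_at[1]
        result |= s << i
    return result, carry


def predicted(a, b, cin=0):
    """Predicted output pattern calculated from the design specification."""
    total = a + b + cin
    return total & ((1 << BITS) - 1), total >> BITS


def exhaustive_test(unit):
    """Apply all 2^(2*BITS+1) input patterns; return (patterns applied, failures)."""
    failures = []
    for a, b, cin in product(range(1 << BITS), range(1 << BITS), (0, 1)):
        if unit(a, b, cin) != predicted(a, b, cin):
            failures.append((a, b, cin))
    return 2 ** (2 * BITS + 1), failures


# A small hand-picked pattern set, constructed for this example. None of these
# patterns produces a carry out of bit 3, so they cannot expose a fault there.
PARTIAL_PATTERNS = [(0, 0, 0), (1, 1, 0), (0x10, 0x10, 0), (0x7F, 0x00, 0), (0xF0, 0x0F, 0)]


def partial_test(unit):
    """Apply only PARTIAL_PATTERNS; return the failing patterns."""
    return [p for p in PARTIAL_PATTERNS if unit(*p) != predicted(*p)]


def faulty_adder8(a, b, cin=0):
    """adder8 with the carry out of stage 3 stuck at 0."""
    return adder8(a, b, cin, stuck_at=(3, 0))


def verify():
    """Return (patterns applied, mismatches of the good unit, mismatches of the
    faulty unit under exhaustive testing, mismatches of the faulty unit under
    the partial pattern set)."""
    n, good = exhaustive_test(adder8)
    _, bad = exhaustive_test(faulty_adder8)
    return n, len(good), len(bad), len(partial_test(faulty_adder8))


if __name__ == "__main__":
    n, good, bad, partial = verify()
    print(f"{n} patterns applied")
    print(f"good unit: {good} mismatches")
    print(f"stuck-at-0 on carry[3]: exhaustive finds {bad}, partial set finds {partial}")
```

Run directly, the script prints the pattern count and the mismatch counts. The injected fault is observable only when a carry actually propagates out of bit 3, which none of the partial patterns causes; this is the situation the Background Art describes, in which a fault that the pattern selection did not anticipate goes undetected, and it is why the number of input bits per unit is kept small enough for every pattern to be applied.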

Fig. 2 is a block diagram showing a logic structure in which a functional unit 5a is 
tested. Alphabetic characters are appended to the reference numeral of the functional units 5 
in order to distinguish functional units 5 having different logic structures in the following 
description. A functional unit 5 without an alphabetic character denotes a functional unit 
having the common logic structure. 



As shown in Fig. 2, the functional unit 5a is implemented in actual hardware to 
receive a signal supplied from a digital signal generator 8. An output from the functional unit 
5a is measured in a signal recorder 9 and the measured signal is supplied to an evaluator 10. 
The evaluator 10 compares the received signal with the predicted pattern corresponding to the 
input pattern to detect any error occurring in the functional unit 5a. If no error is detected for 
all the input patterns in the functional unit 5a, the functional unit 5a is validated. 

As described above, implementing the functional unit in the FPGA, which is actual 
hardware, to test the functional unit permits errors in off-the-shelf software, including the 
synthesis tool and the writing tool for the FPGA, to be verified at the same time. 

The functional unit 5 consists of basic elements specific to the FPGA hardware, such as 
an AND circuit and an OR circuit. However, when the functional units 5 are combined with 
each other to realize the functional module, a functional module having a logic structure 
different from the logic structure verified when the functional unit 5 was tested alone may be 
implemented in the hardware, because the synthesis tool optimizes the logic or the combination 
of the basic elements. Accordingly, options of the synthesis tool or the place and route tool 
used to implement the FPGA are selected so as not to optimize the logic structure when the 
functional units 5 are combined with each other, and it is confirmed whether the same logic 
structure as the one used in the verification is implemented in the functional module before 
the functional module is built. 

Further, after the entire safety protection instrumentation system is completed, 
visual checking of whether the internal functional units 5 have the same logic 
structure as in the testing is made so as to confirm that the safety protection 
instrumentation system includes the verified functional units 5. 
Fig. 3 is a block diagram showing a logic structure in which the functional units 5 are 
implemented in the filter circuit 4a. Fig. 3 shows the functional module including the 
functional unit 5a tested in the logic structure in Fig. 2. 

Adopting a logic structure including a flip-flop that outputs a signal allows the 
functional unit 5a to be implemented in the functional module with its internal logic structure 
retained. For example, a 24-bit adder can be formed by combining two verified 12-bit 
adders. The safety protection instrumentation system according to the present invention is 
provided with a flip-flop for every output from the 12-bit adders in order to retain the 
logic structure of the 12-bit adder. The flip-flop denotes a circuit configured to hold a 
stable state. The output from the 12-bit adder having the above logic structure is delayed by 
the amount corresponding to two clock periods, on the assumption that the flip-flop operates 
at one clock frequency. 

In the safety protection instrumentation system according to the present invention, an 
arithmetic circuit that has a large number of input bits and would output the arithmetic result 
in one clock period is divided into functional units 5a, 5b, and 5c, which have a small number 
of input bits and whose function can be verified, to yield the arithmetic results over multiple 
clock periods. This logic structure allows easy verification of the functions corresponding 
to all the input patterns and can prevent errors due to the timing of the logic. 

The timing error occurs when the delay time caused by the combinational logic 
between the flip-flops becomes longer than the clock period at which the flip-flops are 
driven. The division of the combinational circuit, as in the safety protection instrumentation 
system according to the first embodiment, can shorten the delay time and allows the timings 
to be verified individually. Since the number of clocks before the output is yielded 
varies depending on the number of functional units combined in the logic structure 
shown in Fig. 3, a delay element 11 is provided to adjust the timings when comparison 
between two signals or addition thereof is to be performed. 
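The composition described above, two registered 12-bit adder units forming a 24-bit adder whose result appears two clock periods later, with a delay element aligning signals that pass through different numbers of stages, can be simulated cycle by cycle. The following Python is an added example, not code from the application: each 12-bit unit has a flip-flop on its sum and carry outputs, the high unit is fed the registered carry of the low unit, and delay elements hold the high operands and the low sum for one clock period so that the whole 24-bit result is valid at the same clock edge. The assumption that each unit contributes exactly one clock period of latency, and the class and function names, are the example's own.

```python
# Added example (not from the application): a 24-bit adder built from two
# verified 12-bit adder units with registered outputs and delay elements.
MASK12 = (1 << 12) - 1


class Adder12:
    """Verified 12-bit adder unit whose outputs (sum and carry) are each
    registered in a flip-flop, so the unit's internal logic structure is
    preserved when it is combined with other units."""

    def __init__(self):
        self.q_sum = 0        # flip-flop outputs (Q)
        self.q_carry = 0
        self._d_sum = 0       # flip-flop inputs (D), set by compute()
        self._d_carry = 0

    def compute(self, a, b, cin):
        # combinational logic, evaluated between clock edges
        total = (a & MASK12) + (b & MASK12) + (cin & 1)
        self._d_sum = total & MASK12
        self._d_carry = total >> 12

    def clock(self):
        # rising edge: D is transferred to Q
        self.q_sum, self.q_carry = self._d_sum, self._d_carry


class Delay:
    """Delay element: n flip-flops in series, used to line up a signal with
    one that passes through more stages."""

    def __init__(self, n):
        self.stages = [0] * n
        self._d = 0

    def compute(self, value):
        self._d = value

    def clock(self):
        self.stages = [self._d] + self.stages[:-1]

    @property
    def q(self):
        return self.stages[-1]


class Adder24:
    """24-bit adder formed from two Adder12 units. The high unit runs one
    clock period behind the low unit because it needs the registered carry,
    so its operands and the low sum are passed through delay elements."""

    LATENCY = 2  # clock edges between presenting operands and a valid result

    def __init__(self):
        self.low = Adder12()
        self.high = Adder12()
        self.hi_a = Delay(1)
        self.hi_b = Delay(1)
        self.low_sum = Delay(1)

    def step(self, a, b):
        # Evaluate every D input from the current Q values, then clock all
        # flip-flops on the same edge (single synchronous clock).
        self.low.compute(a & MASK12, b & MASK12, 0)
        self.hi_a.compute(a >> 12)
        self.hi_b.compute(b >> 12)
        self.high.compute(self.hi_a.q, self.hi_b.q, self.low.q_carry)
        self.low_sum.compute(self.low.q_sum)
        for ff in (self.low, self.high, self.hi_a, self.hi_b, self.low_sum):
            ff.clock()
        return (self.high.q_carry << 24) | (self.high.q_sum << 12) | self.low_sum.q


def run_pipeline(pairs):
    """Present one operand pair per clock period, then flush; return the
    output seen after each clock edge. outputs[k] is the value after edge k,
    so the result for pairs[i] is registered on edge i + 1 (two edges after
    the operands were first presented) and appears as outputs[i + 1]."""
    pipe = Adder24()
    outputs = []
    for a, b in list(pairs) + [(0, 0)] * Adder24.LATENCY:
        outputs.append(pipe.step(a, b))
    return outputs


if __name__ == "__main__":
    pairs = [(0xFFFFFF, 0x000001), (0x123456, 0xABCDEF)]
    outputs = run_pipeline(pairs)
    for i, (a, b) in enumerate(pairs):
        print(f"{a:#08x} + {b:#08x} = {outputs[i + 1]:#09x} (expected {a + b:#09x})")
```

Because every flip-flop is clocked on the same edge, the model computes all D inputs from the current Q values before clocking, which is how a synchronous design avoids the ordering-dependent results the specification attributes to asynchronous data exchange. The delay elements play the role of delay element 11 in Fig. 3: without them the high half would combine the carry of one operand pair with the operands of the next.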

Fig. 4 is a block diagram showing a logic structure in which a clock signal and data 
are transferred between the functional units. 

In order to reduce the number of timing errors during the data transfer between the 
functional units 5, a logic structure is adopted in which the flip-flops in the functional units 5 
are driven with the same clock period and at the same timing, such as at the clock rising edge. 

When the functional units 5 are driven in different clock periods, handshaking between 
the functional unit 5b and the signal processing circuit 6, as shown in Fig. 4, determines 
whether data can be transmitted and received, ensures the data transfer, and eliminates the 
timing errors due to the connection of the functional units. 

As described above, according to the safety protection instrumentation system of the 
first embodiment, incorporating into each functional module the functional units whose 
input and output patterns are verified, with their internal logic structure retained, 
eliminates any stationary logic error. In addition, providing a flip-flop in each functional 
unit allows the safety protection instrumentation system to be designed so as to allow for 
the timing errors, which are also likely to occur, thus facilitating verification of the timing 
in the functional module. Furthermore, the use of handshaking in the data transfer between 
the functional units eliminates the timing errors due to the connection of the functional 
units. 
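The first embodiment, modelled as an added example that is not part of the specification: a wide adder is built from small functional units whose output pattern for every input pattern is verified exhaustively, every unit output is registered (one clock of latency), and a delay element aligns signals of different latency before they meet at a unit. The 4-bit unit width, the latency bookkeeping (one clock per registered unit), the ripple arrangement of the three units and the names used here are assumptions of the example; the specification fixes only the 12-bit width and the use of flip-flops and a delay element.

```python
"""Bit-accurate model of a 12-bit adder composed of exhaustively verified
4-bit functional units with registered outputs and explicit timing checks.
Added example; widths, latencies and layout are assumptions."""
from itertools import product

UNIT_BITS = 4       # width of one functional unit (assumption)
ADDER_BITS = 12     # width of the composed adder, as in the specification


class TimingError(Exception):
    """Raised when signals valid in different clock periods meet at one unit."""


class Signal:
    """A value together with the clock period, counted from the module input,
    at which it becomes valid, so that timing is checked alongside the value."""
    def __init__(self, value, latency=0):
        self.value = value
        self.latency = latency


def add_unit(a, b, cin, width=UNIT_BITS):
    """Combinational logic of one functional unit: a width-bit adder with
    carry in and carry out. Returns (sum, carry_out)."""
    mask = (1 << width) - 1
    total = (a & mask) + (b & mask) + (cin & 1)
    return total & mask, total >> width


def verify_unit_exhaustively(width=UNIT_BITS):
    """Check every one of the 2**(2*width+1) input patterns of add_unit
    against its arithmetic specification. Returns the number of patterns."""
    count = 0
    for a, b, cin in product(range(1 << width), range(1 << width), (0, 1)):
        s, cout = add_unit(a, b, cin, width)
        if (cout << width) | s != a + b + cin:
            raise AssertionError(f"pattern a={a} b={b} cin={cin} failed")
        count += 1
    return count


def registered(fn, *inputs):
    """Apply a verified unit whose outputs pass through a flip-flop: all inputs
    must be valid in the same clock period, and the outputs become valid one
    clock period later."""
    latencies = {s.latency for s in inputs}
    if len(latencies) != 1:
        raise TimingError(f"inputs valid at different clocks: {sorted(latencies)}")
    result = fn(*(s.value for s in inputs))
    return tuple(Signal(v, inputs[0].latency + 1) for v in result)


def delay_element(sig, clocks):
    """Delay element 11: holds a value for `clocks` additional periods."""
    return Signal(sig.value, sig.latency + clocks)


def adder12(a, b, insert_delays=True):
    """12-bit adder composed of three registered 4-bit units. The carry out
    of unit k is valid k+1 clocks after the input, so the input slices for
    the later units must be delayed to meet it; without the delay elements
    the timing check in `registered` rejects the structure."""
    mask = (1 << UNIT_BITS) - 1
    carry = Signal(0)
    sums = []
    for k in range(ADDER_BITS // UNIT_BITS):
        a_k = Signal((a >> (k * UNIT_BITS)) & mask)
        b_k = Signal((b >> (k * UNIT_BITS)) & mask)
        if insert_delays:
            a_k, b_k = delay_element(a_k, k), delay_element(b_k, k)
        s, carry = registered(add_unit, a_k, b_k, carry)
        sums.append(s)
    # The sum slices become valid at different clocks; align them to the last.
    final = sums[-1].latency
    total = sum(delay_element(s, final - s.latency).value << (k * UNIT_BITS)
                for k, s in enumerate(sums))
    return Signal(total & ((1 << ADDER_BITS) - 1), final)


if __name__ == "__main__":
    print("unit patterns verified:", verify_unit_exhaustively())
    r = adder12(0xABC, 0x123)
    print(f"0xABC + 0x123 = {r.value:#05x}, valid after {r.latency} clocks")
```

The exhaustive check covers 2^9 patterns per unit instead of 2^24 for the whole adder, and the latency check is what the delay element exists for: removing it (`insert_delays=False`) makes the model reject the structure instead of silently adding values from different clock periods.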
(Second Embodiment) 

Since the logic in the functional units operates normally in the safety protection 
instrumentation system according to the first embodiment, the timing errors can be 
eliminated by a normal connection of the logic. However, there is a possibility that the 
functional units are incorrectly connected to each other, or that the software includes 
functional units that are not described in the design specifications. A safety protection 
instrumentation system according to a second embodiment of the present invention will be 
described as a method of resolving these problems. 

Fig. 5 shows one example of software (VHDL statements) describing a comparator, 
according to the safety protection instrumentation system of the second embodiment. 

The functional unit 5a is invoked by a "port" statement in the VHDL description. 
Since the numeric patterns in the functional unit 5a have been verified in advance, the 
functional units are determined to be correctly connected to each other if normal invocation 
of the functional unit 5a can be confirmed in the VHDL grammar. 

Specifically, if, among the VHDL statements in Fig. 5, the operation of those statements 
that contribute to actual execution (excluding the definition statements and the sections of 
redundant processing provided in preparation for abnormalities) can be verified in the logic 
structure according to the second embodiment, it can be determined that the functional units 
are correctly connected to each other. 

Coverage is generally used as one parameter for determining whether the VHDL 
statements are executed. The ratio of the VHDL statements executed in the software to all 
the VHDL statements is called statement coverage. If the VHDL statements include a 
branch, such as an "IF" statement, the ratio of the number of executed paths, counting both 
the success and the failure of each branch, to the number of paths in the entire logic is 
called branch coverage. The ratio of the signals whose level is shifted from "High" to 
"High" through "Low" (High→Low→High) to all the signals in the functional units 5 is 
called toggle coverage. 

The safety protection instrumentation system according to the second embodiment 
uses the branch coverage or the toggle coverage as an evaluation index to generate the input 
pattern groups under which all the branch conditions are exercised (100% branch coverage). 
The safety protection instrumentation system determines that the functional units are 
correctly connected to each other if the output patterns corresponding to the input patterns 
coincide with the predicted patterns calculated from the design specifications. In 
particular, the toggle coverage can be evaluated in the netlist after logic synthesis and is 
not likely to be affected by the logic synthesis. 

The correct connection of the functional units 5 can also be confirmed by a functional 
test that checks whether the functional module has the same function as in the design 
specifications. Specifically, the connection of the functional units can be verified by 
generating the input pattern groups used for confirming the performance described in the 
specifications, and comparing the outputs corresponding to the input pattern groups with the 
predicted values to determine whether there is any difference between the outputs and the 
predicted values. 
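The coverage-driven connection check of the second embodiment, as an added example that is not part of the specification: a bitwise comparator stands in for the VHDL comparator of Fig. 5, branch coverage and High→Low→High toggle coverage are collected while it runs, an input pattern group is grown until both reach 100%, and the outputs for that group are compared with the values predicted from the arithmetic specification. The comparator's internal structure, the 4-bit input width, the greedy way patterns are selected and all names used here are assumptions of the example.

```python
"""Branch and toggle coverage for a model comparator unit, pattern-group
generation to 100 % coverage, and output comparison against predicted values.
Added example; the comparator, width and selection strategy are assumptions."""
from itertools import product

WIDTH = 4  # input width (assumption; small enough to list every pattern)


class Coverage:
    """Collects branch outcomes and per-signal High->Low->High toggles."""

    def __init__(self, branches, signals):
        self.outcomes = {name: set() for name in branches}
        # toggle phase: 0 = waiting for High, 1 = saw High, 2 = saw High->Low,
        # 3 = saw High->Low->High (the signal counts as toggled)
        self.phase = {name: 0 for name in signals}

    def branch(self, name, condition):
        """Record which way an IF went, then return the condition unchanged."""
        self.outcomes[name].add(bool(condition))
        return condition

    def sample(self, name, level):
        """Advance the toggle phase of a signal with its current level."""
        p = self.phase[name]
        if p == 0 and level == 1:
            self.phase[name] = 1
        elif p == 1 and level == 0:
            self.phase[name] = 2
        elif p == 2 and level == 1:
            self.phase[name] = 3

    def branch_coverage(self):
        return sum(len(v) for v in self.outcomes.values()) / (2 * len(self.outcomes))

    def toggle_coverage(self):
        return sum(p == 3 for p in self.phase.values()) / len(self.phase)

    def score(self):
        """Monotone progress measure used to decide whether a pattern is kept."""
        return sum(len(v) for v in self.outcomes.values()) + sum(self.phase.values())


BRANCHES = [f"bit{i}_decides" for i in range(WIDTH)]
SIGNALS = ["trip", "equal"]


def comparator_unit(a, b, cov):
    """Functional unit 5a written bit by bit, as the logic would be: scanning
    from the MSB, the first position where a and b differ decides a > b.
    Outputs the trip signal (a > b) and the equal signal."""
    gt, undecided = 0, 1
    for i in reversed(range(WIDTH)):
        a_i, b_i = (a >> i) & 1, (b >> i) & 1
        if cov.branch(f"bit{i}_decides", undecided and a_i != b_i):
            gt, undecided = a_i, 0
    trip, equal = gt, undecided
    cov.sample("trip", trip)
    cov.sample("equal", equal)
    return trip, equal


def predicted(a, b):
    """Output pattern predicted from the design specification."""
    return int(a > b), int(a == b)


def generate_pattern_group():
    """Grow an input pattern group greedily: a candidate is kept only if it
    raises branch or toggle coverage. Stops when both reach 100 %."""
    cov = Coverage(BRANCHES, SIGNALS)
    group = []
    for a, b in product(range(1 << WIDTH), repeat=2):
        trial = Coverage(BRANCHES, SIGNALS)
        trial.outcomes = {k: set(v) for k, v in cov.outcomes.items()}
        trial.phase = dict(cov.phase)
        comparator_unit(a, b, trial)
        if trial.score() > cov.score():
            cov, group = trial, group + [(a, b)]
            if cov.branch_coverage() == 1.0 and cov.toggle_coverage() == 1.0:
                break
    return group, cov


def functional_test(group):
    """Replay a pattern group through a fresh unit and compare every output
    with the predicted pattern. Returns the list of mismatching patterns."""
    cov = Coverage(BRANCHES, SIGNALS)
    return [(a, b) for a, b in group if comparator_unit(a, b, cov) != predicted(a, b)]


if __name__ == "__main__":
    group, cov = generate_pattern_group()
    print("pattern group:", group)
    print("branch", cov.branch_coverage(), "toggle", cov.toggle_coverage())
    print("mismatches:", functional_test(group))
```

Toggle coverage depends on the order of the patterns, not only on their set, which is why the group is built as a sequence; the full 2^(2·WIDTH) product is also run through `functional_test` when the unit is small enough, as the first embodiment does for its units.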

In the functional test for confirming the functions of the functional module, digital 
values are input and the digital outputs are compared with the predicted values to determine 
whether there is any difference between the outputs and the predicted values. However, the 
comparison of digital values takes several microseconds to several milliseconds per pattern, 
so it is difficult to evaluate many signal patterns quickly. 

Accordingly, as shown in Fig. 6, a signal output from an analog signal generator 12 is 
supplied to the functional module 4a through an A/D element 13. The signal output from the 
functional module 4a is converted into an analog signal in a D/A element 14, and the analog 
signal is measured by an analog signal recorder 15. The measured signal can be compared 
with the predicted value calculated from the design specifications to determine quickly 
whether there is a difference between the output value and the predicted value. In the method 
using the A/D element 13 and the D/A element 14, as in the example according to the second 
embodiment, a significant variation that exceeds the measurement accuracy and 
affects the measurement result can be detected to verify the function, although a minor 
difference cannot be detected, unlike in the comparison of digital values. In addition, since 
many patterns can be processed quickly, the method is effective for detecting 
discontinuous points or singular points specific to the digital values. 

Methods of selecting a test pattern used in the functional test will be described with 
reference to Figs. 7 and 8. Fig. 7 shows an example of a method of selecting the level of the 
input signal when the functional module, which is a filter circuit, is verified. Referring to 
Fig. 7, the vertical axis schematically represents the bit width of numerical values and the 
horizontal axis represents the amount of processed logic. 

If an error occurs in a processing step of a certain bit width in the functional 
module, which is a filter circuit, the error propagates to the downstream processing, as 
shown in Fig. 7, without limitation on the values, because the filter circuit is linear. 
If the output is subjected to D/A conversion and the analog value is evaluated, a variation 
in a lower bit of the output cannot be measured because of the D/A element and the noise 
in the circuit. 

Accordingly, dividing the level of the input signal into, for example, levels T1 to T4 
and measuring the variation in the output ranges corresponding to the respective input levels 
can detect an error in any bit of the full bit width of the digital value. In other words, 
adjusting the level of the input signal in accordance with the detection accuracy of the 
errors in the output allows any error inside the filter circuit to be detected. 

Fig. 8 illustrates how to select a measuring point of the frequency when the 
frequency characteristics are tested. 

Since the digital filter is a linear time-invariant system, it can be evaluated by the use 
of a representative frequency if it is designed so as not to cause overflow. In addition, 
since the frequency characteristic of a digital filter folds back at half the sampling 
frequency, the frequency characteristics are basically verified in a frequency range lower 
than half the sampling frequency. In a range not less than half the sampling frequency, 
only the valleys appearing at frequencies that are multiples of half the sampling frequency 
are detected. 

A frequency characteristic given by combining a high-pass filter having a sampling 
frequency of 1 MHz with a low-pass filter having a sampling frequency of 40 MHz is shown 
in the waveform example in Fig. 8. Referring to Fig. 8, the solid line represents the frequency 
characteristic of the 1 MHz high-pass filter and the broken line represents the combined 
frequency characteristic. 

Since the frequency characteristic shown by the solid line corresponds to a sampling 
frequency of 1 MHz, it folds back at 500 kHz. Accordingly, verifying the frequency 
characteristics in an area A, in the frequency range lower than 500 kHz, allows the 
characteristics of the high-pass filter to be verified. 

In contrast, for the low-pass filter having a sampling frequency of 40 MHz, shown by 
the broken line, the attenuation characteristics should be verified in a bandwidth lower than 
20 MHz, in an area B. However, since peaks and valleys repeat in the frequency range lower 
than 20 MHz due to the effect of the high-pass filter, the envelope curve is evaluated to 
select the frequencies corresponding to the peaks, and the attenuation characteristics of the 
low-pass filter are verified at those frequencies. In other words, when the frequency 
characteristics of the digital filter are verified, the frequency band is divided at half the 
sampling frequency and the measurement points are selected in accordance with the design 
specifications. 
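The measurement-point selection of Fig. 8, as an added example that is not part of the specification: a first-order high-pass section sampled at 1 MHz is cascaded with a first-order low-pass section sampled at 40 MHz, the fold-back of a digital filter's response at half its sampling frequency is checked numerically, and the measurement points are chosen as the text describes, a grid below 500 kHz for the high-pass (area A) and the peaks of the high-pass envelope below 20 MHz for the low-pass attenuation (area B). The filter coefficients and all names are assumptions of the example; the specification gives only the two sampling frequencies.

```python
"""Frequency-characteristic test points for a cascade of digital filters
with different sampling frequencies. Added example; the filter coefficients
are assumptions, the sampling frequencies come from the specification."""
import cmath
import math

FS_HP = 1.0e6    # sampling frequency of the high-pass filter (from the text)
FS_LP = 40.0e6   # sampling frequency of the low-pass filter (from the text)
HP = ([0.5, -0.5], [1.0])   # H(z) = (1 - z^-1)/2, assumption
LP = ([0.5, 0.5], [1.0])    # H(z) = (1 + z^-1)/2, assumption


def magnitude(coeffs, f, fs):
    """|H(f)| of a digital filter given as (numerator, denominator) coefficient
    lists in powers of z^-1, evaluated at analog frequency f for sample rate fs."""
    b, a = coeffs
    z_inv = cmath.exp(-2j * math.pi * f / fs)
    num = sum(bk * z_inv ** k for k, bk in enumerate(b))
    den = sum(ak * z_inv ** k for k, ak in enumerate(a))
    return abs(num / den)


def combined(f):
    """Magnitude of the cascade, both sections evaluated at the same analog f."""
    return magnitude(HP, f, FS_HP) * magnitude(LP, f, FS_LP)


def folds_back(coeffs, fs, f):
    """A real-coefficient digital filter is symmetric about fs/2 and periodic
    in fs: |H(fs - f)| == |H(f)| and |H(f + fs)| == |H(f)|."""
    h = magnitude(coeffs, f, fs)
    return (math.isclose(h, magnitude(coeffs, fs - f, fs), rel_tol=1e-9)
            and math.isclose(h, magnitude(coeffs, f + fs, fs), rel_tol=1e-9))


def area_a_points(n=10):
    """Area A: n frequencies spread over the band strictly below FS_HP/2,
    where the high-pass characteristic is verified directly."""
    return [(FS_HP / 2) * (k + 1) / (n + 1) for k in range(n)]


def area_b_points():
    """Area B: the peaks of the high-pass envelope, at odd multiples of
    FS_HP/2, restricted to the band below FS_LP/2. There the high-pass
    contributes unity gain, so the combined response is the low-pass
    attenuation to be verified."""
    points = []
    f = FS_HP / 2
    while f < FS_LP / 2:
        points.append(f)
        f += FS_HP
    return points


def verify_low_pass():
    """Compare the combined response at the area-B points with the low-pass
    specification alone. Returns the largest deviation found."""
    return max(abs(combined(f) - magnitude(LP, f, FS_LP)) for f in area_b_points())


if __name__ == "__main__":
    print("area A points (Hz):", [round(f) for f in area_a_points()])
    print("area B points (MHz):", [f / 1e6 for f in area_b_points()])
    print("max deviation of LP attenuation at area B points:", verify_low_pass())
```

With these coefficients the high-pass has its valleys at multiples of 1 MHz and its peaks midway between them; sampling the cascade only at those peaks is what lets the low-pass attenuation be read off without the high-pass ripple, which is the envelope evaluation the text describes.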

As described above, according to the safety protection instrumentation system of the 
second embodiment, whether all the functional units in the functional module are correctly 
connected can be confirmed by generating the input patterns giving 100% branch coverage 
and sequentially validating the output patterns corresponding to those input patterns. 
In addition, the correct connection of the functional units can be validated by the function test 
in which the function of each functional module is tested. In the function test, the 
comparison of the analog signals by the use of the A/D element and the D/A element allows 
continuous testing of many patterns, thus easily verifying the performance of the safety 
protection instrumentation system for the nuclear reactor. 
(Third Embodiment) 

Fig. 9 shows test ranges when the output patterns corresponding to the input patterns 
are verified by the use of an adder 16. 

In a test range A' including only the adder 16 as the functional unit, since the adder 
receives two 16-bit inputs and the number of all the input patterns is 2^(16+16), it is 
difficult to verify all the input patterns within a few days. However, in most of the 
filtering, a signal variable is multiplied by a constant. 

Consequently, as shown in Fig. 9, the safety protection instrumentation system of the 
third embodiment has a logic structure in which a constant is selected from a lookup table 
(LUT) and the selected constant is supplied to the adder 16. 

When a test range B' is used as the functional unit in the safety protection 
instrumentation system having the above logic structure, the data to be selected has a four-bit 
address. Accordingly, since the number of input bits in the test range B' is 4 + 16 = 20 and 
the number of test patterns is 2^(4+16), it is easy to test and evaluate the outputs 
corresponding to all the input patterns. 

As described above, according to the safety protection instrumentation system of the 
third embodiment, providing the lookup table in the functional unit allows the number of all 
the input patterns to be decreased. 
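The third embodiment's reduction of the test space, as an added example that is not part of the specification: with two free 16-bit inputs the adder has 2^32 input patterns, while with one input selected from a 16-entry lookup table the functional unit of test range B' has 2^20 patterns, few enough to enumerate here and check against the arithmetic specification. A stuck-at-1 fault can be injected to confirm that the enumeration actually catches a defect. The table contents, the fault model and all names are assumptions of the example; the specification does not give the filter constants.

```python
"""Pattern-space reduction with a lookup table: exhaustive verification of
test range B' (4-bit address + 16-bit operand) against its specification,
with optional fault injection. Added example; LUT contents are assumptions."""

WIDTH = 16     # adder input width, as in the text
ADDR_BITS = 4  # LUT address width, as in the text


def pattern_count(*input_widths):
    """Number of input patterns of a unit whose inputs have the given widths."""
    return 1 << sum(input_widths)


def build_lut(addr_bits=ADDR_BITS, width=WIDTH):
    """Constructed table of constants (assumption): entry 0 is zero and the
    others spread across the bit positions of the operand width."""
    mask = (1 << width) - 1
    return [((i * 0x1357) ^ (i << 11)) & mask for i in range(1 << addr_bits)]


def lut_add_unit(addr, x, lut, width=WIDTH, stuck_bit=None):
    """Test range B': the constant selected by `addr` is added to x.
    Returns (sum, carry_out). `stuck_bit` injects a stuck-at-1 fault on one
    sum bit so the verification can be shown to detect it."""
    mask = (1 << width) - 1
    total = lut[addr & ((1 << ADDR_BITS) - 1)] + (x & mask)
    s = total & mask
    if stuck_bit is not None:
        s |= 1 << stuck_bit
    return s, total >> width


def verify_exhaustively(lut, width=WIDTH, stuck_bit=None):
    """Enumerate all 2**(ADDR_BITS + width) patterns of test range B' and
    compare each output with the specification x + constant.
    Returns (ok, patterns_checked); stops at the first failing pattern."""
    checked = 0
    for addr, constant in enumerate(lut):
        for x in range(1 << width):
            s, cout = lut_add_unit(addr, x, lut, width, stuck_bit)
            if (cout << width) | s != x + constant:
                return False, checked
            checked += 1
    return True, checked


def estimate_hours(patterns, seconds_per_pattern):
    """Wall-clock time to walk a pattern space at a given per-pattern test
    time; the text quotes microseconds to milliseconds per digital pattern."""
    return patterns * seconds_per_pattern / 3600


if __name__ == "__main__":
    print("A' patterns:", pattern_count(16, 16), "B' patterns:", pattern_count(4, 16))
    print("A' at 1 ms/pattern:", round(estimate_hours(pattern_count(16, 16), 1e-3)), "h")
    print("B' exhaustive:", verify_exhaustively(build_lut()))
    print("B' with stuck bit 3:", verify_exhaustively(build_lut(), stuck_bit=3))
```

The hours estimate makes the text's "a few days" concrete: at one millisecond per digital comparison the 2^32 patterns of range A' need about 1,200 hours, while range B' finishes in well under an hour at the same rate.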



- 19- 

(Fourth Embodiment) 

Fig. 10 is a diagram illustrating a self-diagnostic function in the safety protection 
instrumentation system for the nuclear reactor, including the functional units in which the 
logic patterns are verified. 

Since the functional module includes many functional units 5, the outputs from the 
functional module are delayed by several clock periods. Accordingly, on normal completion, 
an operation flag is transmitted to the destination functional module along with the output 
data. This operation flag is relayed between the multiple functional modules. A diagnostic 
circuit 18 for detecting abnormalities determines whether the operation flag is set in a trip 
evaluator 7. If characteristics significantly different from the normal characteristics are 
found, for example, if the operation flag is absent for longer than a predetermined time 
period, the diagnostic circuit 18 outputs an abnormal operation signal. 

In addition to checking the operation flag, the diagnostic circuit 18 calculates, by an 
approximate expression, the range of the output pattern corresponding to the input pattern 
of each functional module, as shown in Fig. 11. If the actual output value is not within 
the range, the diagnostic circuit 18 outputs the abnormal operation signal. 

According to the fourth embodiment, since the flag or the numerical range is set for 
every functional unit or functional module and the self-diagnostic function is provided, 
errors occurring after the safety protection instrumentation system has been installed in the 
plant can be prevented. 
(Fifth Embodiment) 

Fig. 12 is a diagram illustrating signal separation in the safety protection 
instrumentation system for the nuclear reactor, including the functional units in which the 
logic patterns are verified. 

Optical transmission is adopted in the fifth embodiment in order to ensure the 
independence of the signal transmission in a first safety protection instrumentation system 2b 
and a second safety protection instrumentation system 2c. Specifically, in the first safety 
protection instrumentation system 2b, from which signals are transmitted, the transmission 
data is converted into an analog signal in a D/A element 14, and the analog signal is subjected 
to electrical-to-optical conversion in an EO converter (electrical-to-optical converter) 19 that 
transmits the data as light intensity or as modulated data. In the second safety protection 
instrumentation system 2c, in which the signals are received, the light-intensity or modulated 
data is subjected to optical-to-electrical conversion in an OE converter (optical-to-electrical 
converter) 20, and the data is converted into a digital value in an A/D element 13. 

In a logic structure shown in Fig. 13, in the first safety protection instrumentation 
system 2b, digital data processed in the FPGA is converted into an analog signal in the D/A 
element 14 and the analog signal is converted into the digital data again in the A/D element 
13. The digital data is converted into the optical digital data in the EO converter 19, and the 
optical digital data is supplied to the second safety protection instrumentation system 2c. In 
the second safety protection instrumentation system 2c, the digital optical data supplied from 
the first safety protection instrumentation system 2b is converted into the digital data in the 
OE converter 20 and the digital data is used in the digital processing. 

When the same digital value is distributed among multiple independent systems, the 
systems can fail simultaneously in response to the same input data if software that 
malfunctions on a certain data pattern exists in the systems. Accordingly, the safety 
protection instrumentation system according to the fifth embodiment converts the data into 
an analog value, which adds a noise component to the transmitted signal. As a result, the 
same digital data is prevented from being transmitted simultaneously to the different systems. 
According to the safety protection instrumentation system of the fifth embodiment, it 
is possible to ensure the independence of the safety protection instrumentation system for the 
nuclear reactor, using the functional units, and to reduce the rate of occurrence of the 
common-mode failure, which is a challenge for safety systems adopting digital signal processing. 
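The common-mode argument of the fifth embodiment, as an added example that is not part of the specification: two redundant systems receive the same 12-bit sample stream, and a latent software fault that misbehaves on one specific code is modelled. With purely digital distribution both systems always hold identical codes and fail at the same moment; through a D/A, noisy analog link and A/D path each system ends up with its own code, so the coincident failures drop. The code width, noise level, trigger code, seeded noise, the input ramp and all names are constructed for the example; the specification states only that the analog conversion adds a noise component.

```python
"""Simulation of data-pattern-specific common-mode failure under digital
versus analog (noisy) distribution to two redundant systems.
Added example; width, noise, trigger code and inputs are constructed."""
import random

WIDTH = 12
FULL_SCALE = (1 << WIDTH) - 1
TRIGGER_CODE = 0x5A5    # code on which the modelled latent fault fires (assumption)
NOISE_LSB = 0.6         # rms noise added on the analog link, in LSB (assumption)


def latent_fault(code):
    """A data-pattern-specific malfunction present in both systems' software."""
    return code == TRIGGER_CODE


def digital_link(code, rng):
    """Digital distribution: every receiver gets the identical code."""
    return code


def analog_link(code, rng):
    """D/A, analog transmission with noise, A/D: the receiver's code differs
    from the sender's by the quantized noise; clipped to the converter range."""
    analog = code + rng.gauss(0.0, NOISE_LSB)
    return min(max(int(round(analog)), 0), FULL_SCALE)


def run(link, samples, seed=1):
    """Feed the same samples to systems 2b and 2c through `link` and count
    per-system and simultaneous fault activations, plus how often the two
    systems end up holding the same code."""
    rng_b, rng_c = random.Random(seed), random.Random(seed + 1)
    result = {"system_2b": 0, "system_2c": 0, "simultaneous": 0, "identical_codes": 0}
    for code in samples:
        rb, rc = link(code, rng_b), link(code, rng_c)
        fb, fc = latent_fault(rb), latent_fault(rc)
        result["system_2b"] += fb
        result["system_2c"] += fc
        result["simultaneous"] += fb and fc
        result["identical_codes"] += rb == rc
    return result


def ramp(repeats=40, lo=TRIGGER_CODE - 8, hi=TRIGGER_CODE + 8):
    """Constructed input: a ramp across the trigger code, repeated."""
    return [c for _ in range(repeats) for c in range(lo, hi + 1)]


if __name__ == "__main__":
    samples = ramp()
    print("digital:", run(digital_link, samples))
    print("analog: ", run(analog_link, samples))
```

The individual systems still fail about as often through the analog link; what changes is the coincidence, which is the quantity the text targets. The noise only decorrelates the two systems' codes, it does not remove the fault, so the design still relies on the verified functional units for the fault itself.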
(Sixth Embodiment) 

Fig. 14 is a block diagram showing a basic logic structure of a safety protection 
instrumentation system according to a sixth embodiment of the present invention. 

In the safety protection instrumentation system in Fig. 14, the functional units 5a, 5b, 
and 5c are connected to each other and these functional units are stored in one FPGA. 

The signal transmitted among these functional units is output in synchronization with 
the clock frequency owing to the presence of the flip-flops. The functional units may have 
different timings at which the signal is output. The safety protection instrumentation system 
according to the sixth embodiment has a logic structure in which the functional units 
sequentially pass a baton, which is the data, to perform the processing. For example, the 
output from the functional unit 5a is supplied to the functional unit 5b, and then the signal 
processing is performed in the functional unit 5b. 

In the logic structure having the functional units connected therein, the entire 
processing operation can be verified by monitoring the timing at which the baton (data) is 
transmitted. Specifically, as shown in Fig. 14, external pins A21, B22, C23, and D24 are 
used to monitor the signals output from the functional units and to verify whether the 
functional units operate at the timings as designed. During the operation, monitoring any 
shift of the timings allows any operational failure to be detected. 

Fig. 15 shows an example in which the output timings of the internal functional units 
are actually monitored from the external pins outside the FPGA. Referring to Fig. 15, an input 
signal is shown in the bottom line. The output signals from the external pins A21, B22, C23, 
D24, and E25 are shown in the upper lines. 

When a signal (data) in the bottom line is input, the signal is sequentially transmitted 
through the logic from the bottom and is finally output from the top output stage. The 
transmission timings of the signals can be confirmed from the multiple logic signals 
shown in Fig. 15. The transmission timings of the logic signals are specific to the design, so 
the timings can be monitored to verify whether the logic is implemented 
in the FPGA as designed. Providing an additional function of monitoring the timings of the 
logic signals even during normal operation allows any malfunction of the 
logic operation, caused by an increased delay time of the internal signal lines due to abnormal 
heating during operation or the like, to be detected. 

According to the sixth embodiment, the safety protection instrumentation system is 
structured such that the functional units operate serially and transmit the signal sequentially. 
The transmission timings of the signals can be monitored to verify whether the logic is 
implemented in the FPGA as designed. In addition, the transmission order and timings of the 
signals can be monitored as an abnormality diagnosis method to build a more reliable 
safety protection instrumentation system. 
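The runtime checks of the fourth and sixth embodiments, as one added example that is not part of the specification: functional units pass a baton (data plus an operation flag) in series; the clock at which each external monitoring pin rises is compared with the designed schedule, the flag must reach the trip evaluator within a timeout, and the output value must fall inside a range computed from the input by an approximate expression. The designed schedule, the timeout, the gain bounds of the approximate expression, the recorded traces and all names are constructed for this example; the specification names the pins A21 to D24 and the diagnostic circuit 18 but gives none of these values.

```python
"""Diagnostic checks on a baton-passing pipeline: pin timing against the
designed schedule, operation-flag timeout, and output range from an
approximate expression. Added example; schedule, limits and traces are
constructed."""

# Designed baton schedule (assumption): clock periods after the input edge at
# which each external monitoring pin is expected to rise.
DESIGNED_SCHEDULE = {"A21": 1, "B22": 3, "C23": 4, "D24": 6}
FLAG_TIMEOUT = 8                  # clocks the diagnostic circuit waits for the flag
GAIN_LOW, GAIN_HIGH = 0.75, 1.25  # approximate expression: output in x*[0.75, 1.25] +/- offset


def predicted_range(x, offset=2.0):
    """Approximate expression of a module's output range for input x."""
    low, high = sorted((GAIN_LOW * x, GAIN_HIGH * x))
    return low - offset, high + offset


def observed_schedule(trace, input_clock):
    """From a trace of (clock, pin) rising edges, the delay of each pin's first
    rise at or after the input edge, relative to that edge."""
    delays = {}
    for clock, pin in sorted(trace):
        if clock >= input_clock and pin not in delays:
            delays[pin] = clock - input_clock
    return delays


def timing_deviations(trace, input_clock, designed=DESIGNED_SCHEDULE, tolerance=0):
    """Pins whose observed delay differs from the design by more than the
    tolerance, or that never rose. A shift here is the symptom of an increased
    internal delay, e.g. under abnormal heating. Returns {pin: (expected, actual)}."""
    observed = observed_schedule(trace, input_clock)
    deviations = {}
    for pin, expected in designed.items():
        actual = observed.get(pin)
        if actual is None or abs(actual - expected) > tolerance:
            deviations[pin] = (expected, actual)
    return deviations


def diagnose(input_value, input_clock, trace, flag_clock, output_value):
    """Diagnostic circuit 18 as a function: 'abnormal' is set when the
    operation flag is late or missing, the output leaves its predicted
    range, or any monitored pin deviates from the designed timing."""
    findings = {"abnormal": False, "reasons": []}
    if flag_clock is None or flag_clock - input_clock > FLAG_TIMEOUT:
        findings["reasons"].append("operation flag missing within timeout")
    low, high = predicted_range(input_value)
    if not low <= output_value <= high:
        findings["reasons"].append(f"output {output_value} outside [{low}, {high}]")
    deviations = timing_deviations(trace, input_clock)
    if deviations:
        findings["reasons"].append(f"timing shift on {sorted(deviations)}")
    findings["timing"] = deviations
    findings["abnormal"] = bool(findings["reasons"])
    return findings


# Constructed traces: (clock, pin) rising edges recorded on the external pins
# for one input edge at clock 99.
NORMAL_TRACE = [(100, "A21"), (102, "B22"), (103, "C23"), (105, "D24")]
LATE_TRACE = [(100, "A21"), (102, "B22"), (105, "C23"), (107, "D24")]  # C23 two clocks late

if __name__ == "__main__":
    print("normal:", diagnose(100.0, 99, NORMAL_TRACE, flag_clock=105, output_value=104.0))
    print("late:  ", diagnose(100.0, 99, LATE_TRACE, flag_clock=107, output_value=104.0))
    print("noflag:", diagnose(100.0, 99, NORMAL_TRACE, flag_clock=None, output_value=104.0))
```

A late stage shifts every downstream pin as well, so the deviation report lists C23 and D24 together; reading the first deviating pin in schedule order localises the slow stage, which a flag timeout alone cannot do.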
(Seventh Embodiment) 

Fig. 16 is a block diagram showing a logic structure of a safety protection 
instrumentation system according to a seventh embodiment. 

The safety protection instrumentation system shown in Fig. 16 has a logic structure in 
which, for example, the same four functional units 5 are connected in series and the signals 
are output in synchronization with the clock frequency owing to the presence of the flip-flops. 
In the safety protection instrumentation system having the above structure, verifying 
whether the functional units 5 have the same logic structure as the single functional unit 5 
before the connection can ensure that the same functions as the ones verified in the single 
functional unit 5 are implemented in the safety protection instrumentation system. 

Specifically, the soundness of the performance of the functional units 5 of the safety 
protection instrumentation system shown in Fig. 16 has been validated in the testing of the 
single functional unit. The soundness of the functional units 5 in the safety protection 
instrumentation system can be ensured by connecting the functional units 5 in the manner 
shown in Fig. 16 and visually verifying whether the performance is retained after the synthesis. 

Industrial Applicability 

In the safety protection instrumentation system and the method of operating the 
system according to the present invention, the safety of the safety system for the nuclear 
reactor using hardware logic can be improved by preventing logic errors and errors caused 
by the timing of the signal processing. Hence, the present invention is highly applicable to 
the operation of a nuclear reactor. 
ABSTRACT 



A safety protection instrumentation system for a nuclear reactor is constructed by 
using digital logic. The digital logic includes functional units in which output 
logic patterns corresponding to all input logic patterns are verified in advance, and a 
functional module formed by combining the functional units. 